
# Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/
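class UserAccessTokenController < ApplicationController
  prepend_before_action :authenticate_and_authorize!

=begin

Resource:
GET /api/v1/user_access_token

Response:
{
  "tokens":[
    {"id":1,"name":"some user access token","preferences":{"permission":["cti.agent","ticket.agent"]},"last_used_at":null,"expires_at":null,"created_at":"2018-07-11T08:18:56.947Z"},
    {"id":2,"name":"some user access token 2","preferences":{"permission":["ticket.agent"]},"last_used_at":null,"expires_at":null,"created_at":"2018-07-11T08:18:56.947Z"}
  ],
  "permissions":[
    {id: 1, name: "admin", note: "Admin Interface", preferences: {}, active: true,...},
    {id: 2, name: "admin.user", note: "Manage Users", preferences: {}, active: true,...},
    ...
  ]
}

Test:
curl http://localhost/api/v1/user_access_token -v -u #{login}:#{password}

=end

  # Lists the current user's persistent API tokens together with the
  # permissions a token may be scoped to.
  #
  # The `token` (secret) and `persistent` columns are excluded from the
  # selection, so the secret is never part of this response.
  def index
    tokens = Token.select(Token.column_names - %w[persistent token])
                  .where(action: 'api', persistent: true, user_id: current_user.id)
                  .reorder(updated_at: :desc, name: :asc)

    render json: {
      tokens:      tokens.map(&:attributes),
      permissions: selectable_permissions.map(&:attributes),
    }, status: :ok
  end

=begin

Resource:
POST /api/v1/user_access_token

Payload:
{
  "name":"some test",
  "permission":["cti.agent","ticket.agent"],
  "expires_at":null
}

Response:
{
  "token":"new_token_only_shown_once"
}

Test:
curl http://localhost/api/v1/user_access_token -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"name":"some test","permission":["cti.agent","ticket.agent"],"expires_at":null}'

=end

  # Creates a new persistent API token for the current user and returns the
  # secret. Because index never selects the `token` column, this response is
  # the only place the secret is exposed.
  #
  # @raise [Exceptions::UnprocessableEntity] when API token access is disabled
  #   by configuration or the required 'name' parameter is blank
  def create
    # Deliberately `== false`: only an explicit "disabled" setting blocks
    # creation; a missing (nil) setting does not.
    raise Exceptions::UnprocessableEntity, 'API token access disabled!' if Setting.get('api_token_access') == false
    raise Exceptions::UnprocessableEntity, __("The required parameter 'name' is missing.") if params[:name].blank?

    # NOTE(review): `permission` and `expires_at` are taken verbatim from the
    # request; this controller does not check that the requested permission
    # list is a subset of the current user's permissions. Confirm the Token
    # model enforces that (and validates expires_at) before relying on it.
    token = Token.create!(
      action:      'api',
      name:        params[:name],
      persistent:  true,
      user_id:     current_user.id,
      expires_at:  params[:expires_at],
      preferences: {
        permission: params[:permission]
      }
    )

    render json: {
      token: token.token,
    }, status: :ok
  end

=begin

Resource:
DELETE /api/v1/user_access_token/{id}

Response:
{}

Test:
curl http://localhost/api/v1/user_access_token/{id} -v -u #{login}:#{password} -H "Content-Type: application/json" -X DELETE

=end

  # Deletes one of the current user's API tokens.
  #
  # The lookup is scoped to `current_user.id`, so a caller cannot delete
  # another user's token by guessing its id; such requests fail as "not found".
  #
  # @raise [Exceptions::UnprocessableEntity] when no matching token exists
  def destroy
    token = Token.find_by(action: 'api', user_id: current_user.id, id: params[:id])
    raise Exceptions::UnprocessableEntity, __('The API token could not be found.') unless token

    token.destroy!
    render json: {}, status: :ok
  end

  private

  # Active permissions relevant to the current user, ordered by name:
  #
  # * the permissions the user holds directly,
  # * their descendants (`name LIKE '<held>.%'`), and
  # * their ancestors, which are returned with `preferences['disabled'] = true`
  #   so a client can show them as structure without offering them for selection.
  #
  # @return [Array<Permission>] loaded records (the ancestor entries are mutated in memory only)
  def selectable_permissions
    base_query       = Permission.reorder(:name).where(active: true)
    permission_names = current_user.permissions.pluck(:name)

    # Parents of held permissions that the user does not hold directly.
    ancestor_names = permission_names.flat_map { |name| Permission.with_parents(name) }.uniq -
                     permission_names

    # LIKE patterns for children of held permissions. quote_like escapes the
    # wildcard characters inside the name so only the literal prefix matches;
    # the pattern itself is passed as a bind parameter, not interpolated.
    descendant_patterns = permission_names.map { |name| "#{SqlHelper.quote_like(name)}.%" }

    scope = base_query.where(name: [*ancestor_names, *permission_names])
    descendant_patterns.each do |pattern|
      scope = scope.or(base_query.where('permissions.name LIKE ?', pattern))
    end

    # Load once so the in-memory flag set below is what gets serialized.
    permissions = scope.to_a
    permissions.each do |permission|
      permission.preferences['disabled'] = true if permission.name.in?(ancestor_names)
    end
    permissions
  end
end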